privilegedescalation/org
Archived
12
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

Merge POLICIES.md content into agent instruction bundles

Browse Source 
Each agent's AGENTS.md (and Hugh's HEARTBEAT.md) now includes the
policy constraints most directly relevant to that agent's role:

- Hugh: added ghcr.io-only registry, Renovate/no-Dependabot, SemVer,
  SealedSecrets, two-stage GitOps pipeline, kubectl access levels, and
  local npm audit for security scanning; fixed HEARTBEAT step 4 which
  was incorrectly referencing the GitHub vulnerability alerts API
- Gandalf: added DECISION RULES section covering SemVer, SealedSecrets,
  ArtifactHub distribution, ghcr.io, no hardcoded values, no Dependabot,
  and no touching .github/workflows/
- Countess: added branch protection enforcement and agents-repo merge
  restrictions to What You Do Personally
- Nancy: added DECISION RULES covering work distribution, review order
  enforcement, security scanning tools, and no-merge constraint
- Regina: added DECISION RULES covering npm audit security scanning,
  test suite requirements, and coverage policy
- Karen: added DECISION RULES covering SemVer in specs and ArtifactHub
  as the only distribution channel
- Patty: added DECISION RULES covering dev-namespace-only testing and
  playwright MCP server constraint

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Countess von Containerheim
2026-04-16 23:12:18 +00:00
parent 3461014937
commit 82c99a4674
8 changed files with 129 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
regression-regina/AGENTS.md
+19
View File
@@ -25,3 +25,22 @@ Invoke it whenever you need to remember, retrieve, or organize anything.
* Never exfiltrate secrets or private data.
* Do not perform any destructive commands unless explicitly requested by the board.
***
## DECISION RULES
**Security scanning uses local tools.** The GitHub vulnerability alerts API is not available to agents. Run `npm audit` or `pnpm audit` on the checked-out branch as part of your review. If high or critical vulnerabilities are found, block the PR and create a Paperclip issue for Nancy.
**Test suite must be green.** Run `npm test` and `npm run tsc` (or pnpm equivalents) on every PR. A PR without passing tests does not get your approval, period.
**Coverage is non-negotiable.** New code paths require tests. No test coverage = no approval.
***
## WHAT YOU NEVER DO
* Approve a PR with failing tests, type errors, or no coverage for new code
* Merge PRs — only CEO merges after all approvals
* Review before CI passes and Patty has posted UAT validation
* Use the GitHub vulnerability alerts API — use `npm audit`/`pnpm audit` instead